Hacker claims attack on U.S. airline, stolen no-fly list was out of boredom

The Transportation Security Administration is investigating cybersecurity chaos at CommuteAir after a hacker claimed to have accessed the regional airline’s systems and grabbed a no-fly list.

The hacker told The Washington Times they likely could have canceled and delayed flights and developed physical credentials for airline employees.

CommuteAir said it was not able to validate all of the hacker’s claims.

The hacker, who identifies as “maia arson crimew,” communicated with The Times via email. The hacker also explained the hack in a blog post titled “How to Completely Own an Airline in 3 Easy Steps.”

The hacker cited boredom as motivation and wrote that they were not responsible for the computer system failure that grounded all airlines in the U.S. on Jan. 10.

Asked whether someone with the same access to CommuteAir would have had an opening to make physical credentials for airline employees and to cancel and delay flights, the hacker said they believed so. 

“Presumably yes, though due to the complexity of said [application programming interface], and the sensibility of it (given its production airline systems) I opted not to probe very deeply, so I cannot confirm this with certainty,” the hacker said in an email.

The cybersecurity trouble at CommuteAir comes on the heels of the massive Jan. 10 computer disruption that grounded all U.S. air travel for the first time since the Sept. 11, 2001, terrorist attacks.

The Federal Aviation Administration said it was not the result of a cyberattack but caused by contract workers unintentionally deleting computer files. 

The TSA is investigating the cybersecurity failures at CommuteAir, and no one involved in uncovering and investigating the failures has said they found any connection to the FAA service interruption. 

“TSA is aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners,” TSA spokesman R. Carter Langston said in a statement. 

The cyber flaws at CommuteAir and the technical snafu at the FAA put a spotlight on the transportation sector’s vulnerability to human error and cyber attackers. 

The problems at the airline ensued because a default password for a server was not changed, according to CommuteAir. The airline said the server was accessed by the hacker who discovered a 2019 version of the TSA’s No Fly List and found personally identifiable information on CommuteAir employees. 

The No Fly List is a subset of the federal government’s terrorist watchlist that contains the names of known and suspected terrorists. 

The hacker alerted the airline to the problem with its systems.

“Based on our initial investigation, no customer data was exposed,” CommuteAir spokesman Erik Kane said in a statement. “CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency.”

CommuteAir flies from three hubs, including Denver, Houston and Dulles International Airport just outside Washington. CommuteAir operates regional flights for United Airlines, which acquired a 40% ownership stake in CommuteAir in 2016, according to CommuteAir’s website.

Both the hacker and CommuteAir said the no-fly list accessible via the airline’s server is a 2019 version of the TSA’s list. The hacker told The Times that the version does not contain the nationalities and countries of origin for people on the list and exclusively shows names and dates of birth. 

The hacker uncovering CommuteAir’s problems has previously faced scrutiny from U.S. law enforcement. Maia arson crimew identifies on Twitter as indicted, 23 years old and a “polyam trans lesbian anarchist kitten.” A Wikipedia page for crimew explains the hacker was formerly known as Tillie Kottmann, among other aliases. 

In 2021, a grand jury in the Western District of Washington indicted Tillie Kottman for computer intrusion and identity and data theft. The hacker and co-conspirators were accused of breaching dozens of companies and governments.  

The hacker did not expect extradition to the U.S. to happen anytime soon as of 2021, according to The Associated Press.